General

  • Target

    AIMxBeta1.6HOTFIXv1.exe

  • Size

    228KB

  • Sample

    241127-2qdfesznhq

  • MD5

    c8b98c0bd31bb2c4ea106b805c9956b8

  • SHA1

    946228438f142b5cbe2264ad6863590ceb6900c6

  • SHA256

    6db0f6fdbb853cd038a40fa5e1cdcf4d20385cd65c307e201a479c6108f7c7b3

  • SHA512

    66cfbd49b2f55c4f9ba324853feb55a98e6d0ee9b3365b0074b919125c745d0d7bd2702e3b131a11e5dd49155cf3239513f417fcd52406be2ebcf301979c7b3e

  • SSDEEP

    3072:yw+jqz91UbTrIFzwPuP/TkUTxQweW825k0yhOqxrZ25K545Ct2Q:PW291UbQwqzT29hOqxrZs6mI

Malware Config

Extracted

Family

xenorat

C2

192.168.10.100

Mutex

AIMx_nd8912d

Attributes

  • delay

    5000

  • install_path

    appdata

  • port

    4748

  • startup_name

    Windows Security Host

Targets

    • Target

      AIMxBeta1.6HOTFIXv1.exe

    • Detect XenoRat Payload

    • XenoRat

      XenoRat is a remote access trojan written in C#.

    • Xenorat family

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL
